On Mon, 11 Apr 2011, David Touzeau wrote:
It's possible your MTA inserts a Content-Length: header before SA sees the
message. If so, then checking it is fairly trivial. Try to determine
whether your MTA does this.
If not, SA does not currently (that I can find) expose the raw size of the
message to rules. Having it generate an X-Content-Length: pseudoheader
probably wouldn't be too difficult.
For now, trivially, you can do something like this:
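  # Count one hit per character matched in the headers
  header   __HDR_BYTES   ALL =~ /./
  tflags   __HDR_BYTES   multiple
  # Count one hit per character matched in the raw body
  rawbody  __BODY_BYTES  /./
  tflags   __BODY_BYTES  multiple
  # Fire when the combined hit count exceeds 200000
  meta     SZ_GT_200K    (__HDR_BYTES + __BODY_BYTES) > 200000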
...but that will probably do Bad Things to your performance.
Many thanks!!!
I will do tests in this way!
I _strongly_ suggest you see whether your MTA can be configured to add a
Content-Length: header before trying those rules.
Also, they were off the top of my head, and untested.
Best of luck. :)
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Public Education: the bureaucratic process of replacing
an empty mind with a closed one. -- Thorax
-----------------------------------------------------------------------
3 days until Thomas Jefferson's 268th Birthday
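
Added example, not part of the original thread and not SpamAssassin or MTA code: a Python pre-filter that stamps the raw message size into an X-Content-Length: header before SpamAssassin sees the message, first dropping any copy the sender supplied, since a rule cannot trust a size header the sender controls. The function names, the sample message and the rule name SZ_GE_200K are assumptions made for illustration; the header name is the one suggested above.

```python
import re

SIZE_HEADER = b"X-Content-Length"  # pseudoheader name suggested in the thread

# SpamAssassin header rules have no numeric comparison, so ">= 200000" becomes
# a digit-count regex. Equivalent rule (SZ_GE_200K is a hypothetical name):
#   header SZ_GE_200K X-Content-Length =~ /^0*(?:[2-9]\d{5}|[1-9]\d{6,})$/
GE_200K = re.compile(rb"^0*(?:[2-9]\d{5}|[1-9]\d{6,})$")

def split_message(raw):
    """Split at the first blank line; returns (header_block, body)."""
    m = re.search(rb"\r?\n\r?\n", raw)
    if m is None:
        return raw, b""                      # headers only, no body
    return raw[:m.start()], raw[m.end():]

def stamp_size(raw):
    """Return the message with one trusted size header holding len(raw)."""
    eol = b"\r\n" if b"\r\n" in raw else b"\n"
    head, body = split_message(raw)
    kept, skipping = [], False
    for line in head.splitlines():
        if line[:1] in (b" ", b"\t"):        # folded continuation line
            if not skipping:
                kept.append(line)
            continue
        name = line.split(b":", 1)[0].strip().lower()
        skipping = name == SIZE_HEADER.lower()   # drop sender-supplied copies
        if not skipping:
            kept.append(line)
    kept.append(SIZE_HEADER + b": " + str(len(raw)).encode())
    return eol.join(kept) + eol + eol + body

def stamped_size(msg):
    """Read back the value of the size header, or b'' if it is absent."""
    head, _ = split_message(msg)
    prefix = SIZE_HEADER.lower() + b":"
    values = [l.split(b":", 1)[1].strip() for l in head.splitlines()
              if l.lower().startswith(prefix)]
    return values[-1] if values else b""

# Constructed sample: a forged small size header on a 250000-byte body.
SAMPLE = (b"From: sender@example.com\r\n"
          b"X-Content-Length: 5\r\n"
          b"Subject: constructed sample\r\n"
          b"\r\n" + b"A" * 250000)

if __name__ == "__main__":
    size = stamped_size(stamp_size(SAMPLE))
    print(size.decode(), "matches >= 200000:", bool(GE_200K.match(size)))
```

The stamped value is the size of the message as received, so it includes the bytes of any forged header that was removed.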